ESA-20020311-008-zlib, kernel, popt, rpm, rsync

by Nikola Strahija on March 12th, 2002

The zlib shared library may attempt to free() a memory region more than once, potentially leaving the system exploitable through programs that use it for decompression. Because certain packages include their own zlib implementation or statically link against the system zlib, several packages need to be updated to properly fix this bug.


DETAIL
------
Matthias Clasen and Owen Taylor discovered this bug while debugging a
problem in the gdk-pixbuf library[1]. The vulnerability arises from an
error where a segment of dynamically allocated memory may be "double
free()'d", leading to corruption of malloc's internal data structures.

This corruption leads to a buffer overflow in the zlib library which
affects any program that links against it. In order to properly fix
this bug the zlib, kernel, rpm and rsync packages all needed to be
updated. Other security and bug-fix updates were included in the
kernel and rsync packages.
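
The double-free pattern described above and a common correction for it, as an added C illustration that is not code from zlib, the kernel, rsync or this advisory. A constructed fixed-slot allocator stands in for malloc so the repeated free can be observed safely; `decoder`, `fail_flawed`, `fail_fixed`, `decoder_end` and `run_case` are hypothetical names.

```c
#include <stddef.h>

/* Constructed fixed-slot allocator; it never touches the real heap, so a
 * repeated free is observed safely instead of corrupting malloc state. */
#define SLOTS 4
static unsigned char pool[SLOTS][64];
static int in_use[SLOTS], double_frees;

static int slot_of(const void *p) {            /* slot index of p, or -1 */
    for (int i = 0; i < SLOTS; i++)
        if (p == (const void *)pool[i]) return i;
    return -1;
}
static void *slot_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}
static void slot_free(void *p) {
    int i = slot_of(p);
    if (i < 0) return;                         /* NULL or foreign pointer */
    if (in_use[i]) in_use[i] = 0;              /* legitimate release */
    else double_frees++;                       /* block already released */
}

/* Hypothetical decoder that owns one scratch buffer. */
struct decoder { unsigned char *scratch; };
/* Flawed error path: frees the buffer but keeps the stale pointer. */
static void fail_flawed(struct decoder *d) { slot_free(d->scratch); }
/* Corrected error path: frees and clears the owning pointer. */
static void fail_fixed(struct decoder *d) { slot_free(d->scratch); d->scratch = NULL; }
/* Teardown that the caller always runs afterwards. */
static void decoder_end(struct decoder *d) { slot_free(d->scratch); d->scratch = NULL; }

/* Error path, optional unrelated allocation, then teardown. Returns the
 * repeated frees caught, or -1 if teardown freed the other owner's block. */
int run_case(int use_fix, int reuse) {
    struct decoder d = { slot_alloc() };
    double_frees = 0;
    if (use_fix) fail_fixed(&d); else fail_flawed(&d);
    void *other = reuse ? slot_alloc() : NULL; /* takes the released slot */
    decoder_end(&d);
    int stolen = other && !in_use[slot_of(other)];
    if (other && !stolen) slot_free(other);
    return stolen ? -1 : double_frees;
}

/* Exit status 0 when the corrected path performs no bad free. */
int main(void) { return run_case(1, 0) || run_case(1, 1); }
```

With the flawed error path the second free is either caught as a repeat or, when the slot has been handed out again in between, silently releases a block that another owner still uses; the corrected path does neither.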

A summary of all included updates follows:

zlib (1.0.4)
------------
* Fixed double free in infblock.c.

kernel (1.0.27)
---------------
* Fixed double free in drivers/net/zlib.c.
* Fixed bug where users could kill system processes using lcall().

popt / rpm (1.0.14)
-------------------
* Re-linked against updated zlib.

rsync (1.0.6)
-------------
* Fixed double free in zlib/infblock.c.
* Fixed some more signedness issues related to ESA-20020125-004.
* Made rsync drop supplementary groups when changing UIDs.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to this issue.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059

All users should upgrade immediately following the special SOLUTION.


SOLUTION
--------
Users of the EnGarde Professional edition can use the Guardian Digital
Secure Network to update their systems automatically.

EnGarde Community users should upgrade to the most recent version
as outlined in this advisory. Updates may be obtained from:

ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/

Please read and understand this entire section before you attempt to
upgrade these packages.

Initial Steps
-------------
1) Verify the machine is either:

a) booted into a "standard" kernel; or
b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL)

2) Determine which kernels you currently have installed:

# rpm -qa --qf "%{NAME}\n" | grep kernel

3) Download the new kernels that match what you have installed
(based on step 2) from the "UPDATED PACKAGES" section of this
advisory.

4) Download the rest of these updates (zlib, rpm, rsync).

Installation Steps
------------------
5) Install the new kernel packages. The packages will automagically
update /etc/lilo.conf by commenting out any old EnGarde images
and replacing them with the new ones:

# rpm --replacefiles -i ...

6) Upgrade the rest of the packages:

# rpm -Uvh popt*.rpm rpm*.rpm rsync*.rpm zlib*.rpm

7) Re-run LILO. If you see any errors then open /etc/lilo.conf in
your favorite text editor and make the appropriate changes:

# /sbin/lilo


Final Steps
-----------
8) If you did not see any LILO errors then your new kernel is now
installed and your machine is ready to be rebooted:

# reboot

A reboot is required to properly complete this update.


UPDATED PACKAGES
----------------
These updated packages are for EnGarde Secure Linux Community
Edition.

Source Packages:

SRPMS/kernel-2.2.19-1.0.27.src.rpm
MD5 Sum: e7af4de890c24cf9d88a05fdf1d355c5

SRPMS/rpm-3.0.6-1.0.14.src.rpm
MD5 Sum: 6e202c6d02f0b76b9f212ae74c54c211

SRPMS/rsync-2.4.6-1.0.6.src.rpm
MD5 Sum: c31cd404485d7d7022ade4802c4b6f6a

SRPMS/zlib-1.1.3-1.0.4.src.rpm
MD5 Sum: fad84ed3b4e0a5845abc786b131cf5e4


i386 Binary Packages:

i386/kernel-2.2.19-1.0.27.i386.rpm
MD5 Sum: d973f6a0b35d26f6be80744a2069af70

i386/kernel-lids-mods-2.2.19-1.0.27.i386.rpm
MD5 Sum: f80456e25b75dd05c15302e4f51c7091

i386/kernel-smp-lids-mods-2.2.19-1.0.27.i386.rpm
MD5 Sum: 99915dbb34d29d6111d6aa6595bfd932

i386/kernel-smp-mods-2.2.19-1.0.27.i386.rpm
MD5 Sum: cc3e0ae1208cfe1e4b5471ec6b8c5947

i386/popt-1.5-1.0.14.i386.rpm
MD5 Sum: 034d201a831a60bdb65561cd47179241

i386/rpm-3.0.6-1.0.14.i386.rpm
MD5 Sum: 2319064a6c566b5f7611bc0cb2ba8192

i386/rsync-2.4.6-1.0.6.i386.rpm
MD5 Sum: 8711acaf8861a69ff2f93e5c04be569a

i386/zlib-1.1.3-1.0.4.i386.rpm
MD5 Sum: 42afd482da0a6c845d221487ab274090


i686 Binary Packages:

i686/kernel-2.2.19-1.0.27.i686.rpm
MD5 Sum: 41f7dea256382e8fe8c931ae7a8b316b

i686/kernel-lids-mods-2.2.19-1.0.27.i686.rpm
MD5 Sum: 02f25cc810bbcef6c9da64ae9421304d

i686/kernel-smp-lids-mods-2.2.19-1.0.27.i686.rpm
MD5 Sum: 3ce8fd883a2afb9bbca42623882ac42c

i686/kernel-smp-mods-2.2.19-1.0.27.i686.rpm
MD5 Sum: 719eefbc2e4fbff557cf61dd972e8273

i686/popt-1.5-1.0.14.i686.rpm
MD5 Sum: e97853c5d1285f6aaf891e59cf71abe1

i686/rpm-3.0.6-1.0.14.i686.rpm
MD5 Sum: be79daaa06b387164a862601077f5e03

i686/rsync-2.4.6-1.0.6.i686.rpm
MD5 Sum: ae64525c60870f7153c79ee80a022941

i686/zlib-1.1.3-1.0.4.i686.rpm
MD5 Sum: f5dec2b85b56dcfcb88bd8526d4ab6e2


REFERENCES
----------
[1] http://bugzilla.gnome.org/show_bug.cgi?id=70594

Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

Credit for the discovery/handling of this bug goes to:
Mark J Cox
Matthias Clasen
Owen Taylor

zlib's Official Web Site:
http://www.gzip.org/zlib

Security Contact: [email protected]
EnGarde Advisories: http://www.engardelinux.org/advisories.html

--------------------------------------------------------------------------
$Id: ESA-20020311-008-zlib,v 1.7 2002/03/11 15:29:32 rwm Exp $
--------------------------------------------------------------------------
Author: Ryan W. Maple
Copyright 2002, Guardian Digital, Inc.
